Threat actors have taken phishing to the next level by weaponizing custom Microsoft 365 applications to request sensitive information from users. User is taken to a legitimate Microsoft authentication page, making the phishing attack more convincing.

In a recent phishing attempt, Cofense researchers spotted an email disguised as a communication from a company's HR department, prompting recipients to review an updated employee handbook.

Poco RAT was first categorized on February 7, 2024, and has since targeted customers in multiple sectors, with Mining being the primary focus. One company was the most targeted, responsible for 67% of the total volume of campaigns.

STR RAT is a Java-based remote access trojan (RAT) that was first seen in 2020. It grants threat actors complete control over an infected machine, allowing them to perform keylogging, steal credentials, and deliver additional malware.

The phishing campaign uses a multi-step process to steal account information, including the user's Meta business email, page name, owner details, financial information, and ultimately the account password.

The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident.

An advanced phishing campaign targeting the Oil and Gas industry is distributing the Rhadamanthys Stealer, an uncommon and sophisticated Malware-as-a-Service information stealer.

Threat actors are increasingly using annual responsibilities like open enrollment, 401k updates, and salary adjustments as lures to steal employee credentials through phishing emails.

Phishing campaigns are using tactics previously seen in attacks involving the QakBot trojan to deliver malware families such as DarkGate and PikaBot. These campaigns utilize hijacked email threads, unique URL patterns, and a similar infection chain.

The phishing attack starts with an HTML file disguised as a voice message, which leads to the download of a file hosted on a disguised AWS URL. The attackers initially impersonate Zoom but later switch to spoofing Outlook and Teams login pages.